Tuesday, June 21, 2016

The Vulnerabilities Equities Process is not a Panacea

I wanted to post this paper and discuss a few things in it and how Policy-writ-large tends to make mistakes in this area, simply by oversimplifying. (For reference, these posts un-simplify the issues a bit: Post 1, Post 2)

First, I want to include their bios, since they are relevant. Then we can discuss some of the recommendations of the paper, and the larger strategic issues, and some of the strange implications implicit in their paper.

TL;DR: Ari Schwartz was on the NSC and did policy work at the White House.

TL;DR: Robert Knake was on the NSC and did policy work at the White House

The Vulnerabilities Equities Process implies at its root that we have a coherent national strategy when it comes to cyber issues (which we arguably do not). And the fundamental weakness of it all is that it implies you have enough centralized knowledge to make gritty decisions on particular vulnerabilities and their possible future effects, which is a massive tasking all on its own.

But assuming all of that is palatable, let's look at just one of the recommendations and examine it for "unintended consequences".

Page 15 has a number of bullet points of this type.

This is the kind of blanket recommendation that the paper is fond of, but which has some huge consequences if taken seriously. For example, the Government is using tax dollars to buy vulnerabilities for the express purpose of accomplishing strategic needs. If you restrict the license you purchase vulnerabilities or offensive information tools to only those which you obtain full rights to, then you might as well in-house the whole effort.

Requiring full exclusive rights to things you buy drives the price up of those things. And in many cases, because those rights are not available, or the seller chooses not to make them available, it drives the seller to other markets. So the obvious corollary to this bullet point is that they have to mandate strict controls upon the sale or transfer of vulnerability information to parties other than the USG. This would be ten times as futile, intrusive, and expensive as the proposed Wassenaar cyber regulations, which have been essentially killed in this country already. This, all in the misbegotten dream of "draining the endless swamp" of vulnerabilities in software.

The Government is not a catch-all vulnerability bounty program for all of the world's information technology, nor does it have the budget to pretend to be. But for some reason, certain policy makers think it should take on this role, as if budgetary constraints and mission timeliness were not things.

The budgetary issue is hardly the only issue with the VEP, which is emblematic of the struggle US Government policy has with figuring out if every cyber vulnerability is a strategic systematic risk. But before we rush to cement the VEP policies in place, we need to figure out what the implications are for the policy proposals on the table, because on the face of it, they are not wise or well thought through.